Add new token creation callback page to improve current auth flow for integration purpose
Created by: abeatrix
Closes https://github.com/sourcegraph/sourcegraph/issues/28311
Summary
This PR adds a new token creation callback page to improve the current auth flow for integration purposes, e.g. VS Code Extension and JetBrains Extension.
Current Problem
Users rely on our access token to make API requests to Sourcegraph, and a lot of our extensions and features depend on it; however, the current auth flow to retrieve an access token is not seamless. See steps outlined in our docs.
Take VS Code for example:
- Visit the VS Code extension homepage
- Users are prompted to sign in / sign-up for a Sourcegraph account
- Perform sign-in / sign-up in browser
- Navigate to the User setting page
- Move to Access Token page
- Click Generate new token
- Fill in the description
- Click Generate token
- Copy the new token
- Move back to VS Code
- Paste the new token
Proposed Solution
A new token creation page that performs callbacks (https://sourcegraph.com/user/settings/tokens/new/callback) that can be shared with different integrations as long as the URL params that are being passed in via the URL (https://sourcegraph.com/user/settings/tokens/new/callback?requestFrom=$SOURCE) are included in our predefined list. Once the source has been validated, it would redirect the user back to the source using the predefined redirect URL with the newly created token passed in as a new URL param, which can then be processed by the extension's URL handler (for the Sourcegraph VS Code extension, the link is vscode://sourcegraph/sourcegraph?code=$TOKEN).
See Loom Video here: https://www.loom.com/share/8a668f4624e349ce9358325f000fe9e5
The proposed auth flow for VS Code as an example:
- Users are prompted to sign-in / sign-up for a Sourcegraph account
- Perform sign-in / sign-up in browser
- The user will be redirected to the token creation callback page
- It reads the URL params and checks if the params are valid (if they are on the allow list)
- If the param is valid, it will generate the token automatically
- User will be redirected back to the extension and the token will be imported via the built-in URL handler by the extension
Screenshots
VS Code Extension (VSCE)
- Token will be created automatically and asked if they want to redirect back to the app
- Token imported to app automatically without copying and pasting manually
SRC CLI
Test plan
Consulting with the Security Team (slack thread)
To test this PR:
- Set up a test instance using `sg start`
- In your VS Code User setting, set the URL to your test instance's URL: `"sourcegraph.url": "https://sourcegraph.test:3443/"`
- Change the name in the `client/vscode/package.json` from `@sourcegraph/vscode` to `sourcegraph`
- Follow this guide to build and run the extension
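The allow-list check from the proposed flow, as an added example that is not code from this PR or from Sourcegraph: the redirect target is looked up from a fixed table keyed by `requestFrom` and never taken from the request, and the token is only created after that lookup succeeds. The function name, the `VSCEAUTH` key and the `createToken` callback are hypothetical; the redirect template is the one quoted in the description.

```typescript
// Fixed table: requestFrom value -> redirect template. 'VSCEAUTH' is a hypothetical
// key; the template is the VS Code link given in the PR description.
const REDIRECT_ALLOWLIST: ReadonlyMap<string, string> = new Map([
    ['VSCEAUTH', 'vscode://sourcegraph/sourcegraph?code=$TOKEN'],
])

type CallbackResult = { ok: true; redirectURL: string } | { ok: false; reason: string }

// createToken stands in for the real token-creation call (an assumption).
function buildTokenCallbackRedirect(
    callbackURL: string,
    createToken: (note: string) => string
): CallbackResult {
    let params: URLSearchParams
    try {
        params = new URL(callbackURL).searchParams
    } catch {
        return { ok: false, reason: 'malformed callback URL' }
    }
    // A repeated parameter is rejected so that every layer that parses the URL
    // agrees on which value was validated.
    const sources = params.getAll('requestFrom')
    const source = sources.length === 1 ? sources[0] : undefined
    if (source === undefined) {
        return { ok: false, reason: 'requestFrom must appear exactly once' }
    }
    // Exact-match lookup: no prefix or substring matching, and the destination
    // comes from the table, not from anything the caller supplied.
    const template = REDIRECT_ALLOWLIST.get(source)
    if (template === undefined) {
        return { ok: false, reason: 'requestFrom is not on the allow list' }
    }
    // No token exists until validation has passed.
    const token = createToken(`Created via callback for ${source}`)
    // Function replacer avoids '$' patterns in the token being interpreted;
    // encoding keeps the token from adding or splitting query parameters.
    const redirectURL = template.replace('$TOKEN', () => encodeURIComponent(token))
    return { ok: true, redirectURL }
}

// Constructed sample input; the token value is a placeholder, not a real token.
const demo = buildTokenCallbackRedirect(
    'https://sourcegraph.test:3443/user/settings/tokens/new/callback?requestFrom=VSCEAUTH',
    () => 'sample-token'
)
console.log(demo)
```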